Blind OS command injection with time delays Write-up
To access the lab visit the following link
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.
To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second delay.
Target Goal
Exploit the blind command injection in the feedback function.
Blind command injection
Blind command injection occurs when an attacker is able to inject operating system commands into a command that the application executes, but the application does not return the command's output in its response. Because nothing is displayed, the attacker cannot see directly whether the injected command ran, which makes confirming the vulnerability harder than in the non-blind case. Time delays are one way to get that confirmation: if the response is delayed by exactly the amount requested, the command executed.
Sleep command
The sleep command in Linux pauses the execution of a script or command for a specific amount of time. It can be used to introduce delays in scripts or simply to wait for a given period.
sleep [Number][s|S|m|M|h|H] #general syntax of the command
#-> Number indicates the pause time
#-> s|S indicates number of seconds
#-> m|M indicates number of minutes
#-> h|H indicates number of hours
Access the lab
Click on the given button to access the lab
Burp suite
I have started Burp Suite Community Edition with the web application side by side.
Route Traffic Through Burp Suite
Now, we will set the browser's proxy to Burp. FoxyProxy lets us switch the browser's proxy settings easily so that web traffic is routed through Burp Suite, which is crucial for intercepting and inspecting HTTP requests and responses.
Intercepting traffic
Turn on Intercept in Burp Suite and click the Submit feedback button on the web application. The request will be intercepted.
Fill the feedback form and click on submit feedback.
As soon as the feedback is submitted, the POST request appears in the HTTP history tab of Burp Suite.
Identifying vulnerability
Click on the POST request and we can see the data of the request made through Burp.
Right-click on the request and send it to Repeater.
In the Repeater tab we can see the csrf parameter. This is the anti-CSRF token that web applications use to ensure that actions initiated on their platform are authorized by the user and are not the result of a malicious third party. It protects users from unintended actions, such as unauthorized data changes, when they click on links or visit web pages that might perform actions on their behalf without their knowledge.
Performing OS command Injection
Apart from the csrf parameter we can see the name, email, subject and message parameters as well. We don't know which of them is actually vulnerable, so let's start with the name parameter. We will inject the command “& sleep 10” after the name value to find out whether it is vulnerable to command injection. URL-encode it by selecting the payload and pressing Ctrl+U. Click on the Send button and we can see how the web app responded in the Burp response tab. In the bottom right corner we can see the execution time of the request, which is just 273 milliseconds, even though we injected a command to wait for 10 seconds. This means the name parameter is not vulnerable to command injection.
Now, let's try command injection in the email parameter. We will inject the command “& sleep 10” after the email value to find out whether it is vulnerable to command injection. URL-encode it by selecting the payload and pressing Ctrl+U. Again click on the Send button and we can see how the web app responded in the Burp response tab. In the bottom right corner we can see the execution time of the request is 10,273 milliseconds. The web app responded after exactly 10 seconds. This means the email parameter is vulnerable to command injection.
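The reason the email parameter hangs for 10 seconds is that the server splices the value into a shell command string. As an added example, not code from the lab or this write-up, here is a stand-in Python feedback handler (the function names and the use of echo as the back-end command are assumptions) showing that vulnerable pattern beside two hardened versions and a simple metacharacter check a defender can log or alert on.

```python
import re
import subprocess

# Stand-in for the back-end command the feedback handler runs (constructed
# for this example): "echo" simply prints its arguments, so whatever the
# shell does with the email value becomes visible in the output.
NOTIFY_CMD = "echo"

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def notify_unsafe(email: str) -> str:
    """Vulnerable pattern: user input is pasted into a command string that
    /bin/sh parses, so '&', ';' and similar characters start new commands."""
    cmd = f"{NOTIFY_CMD} notify {email}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_no_shell(email: str) -> str:
    """Hardened step 1: pass an argv list and no shell. The email value is one
    literal argument; metacharacters are never interpreted."""
    out = subprocess.run([NOTIFY_CMD, "notify", email], capture_output=True, text=True)
    return out.stdout


def notify_safe(email: str) -> str:
    """Hardened step 2: allow-list validation before the value reaches any
    command at all, in addition to avoiding the shell."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected email value")
    return notify_no_shell(email)


def has_shell_metachars(value: str) -> bool:
    """Detection aid for request logging or WAF rules: flags the characters
    the lab payload relies on, so suspicious submissions can be alerted on."""
    return re.search(r"[&|;`$()\n]", value) is not None


if __name__ == "__main__":
    # Constructed payload mirroring the lab's "& sleep 10" shape, with echo
    # in place of sleep so the demo finishes instantly.
    payload = "a@b.com & echo INJECTED"
    print("unsafe  :", notify_unsafe(payload).strip())
    print("no shell:", notify_no_shell(payload).strip())
    print("flagged :", has_shell_metachars(payload))
```

With the vulnerable handler the second command runs as its own process, which is exactly why a sleep there shows up as a measurable delay while the safe versions treat the whole string as inert data.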
And we can see the lab is also marked as solved.
Mission accomplished!
Congratulations! The walkthrough of the second OS command injection lab finishes here.
You can see the walkthrough of the third lab by clicking the following link: